I have a very restricted user on my SSH server, created with --no-create-home and --shell /bin/false.
I know I can define the authorized_keys file in sshd_config for the user's public key. But how can I allow public key authentication for this user without requiring access to any files on the OS?
I'm not sure what you are asking for exactly. Does diya's answer solve your problem? What exactly do you want your restricted user to do after logging in? – ciamej Oct 09 '22 at 19:29
@ciamej In my case this limited user is defined for tcp_forwarding (local SSH tunneling). I think diya's answer is useful for more complicated situations. I was thinking maybe a very simple command could be used or defined for a user to define known public keys, as simple as defining a password while creating a user. – Mojtaba Rezaeian Oct 10 '22 at 22:24
2 Answers
diya has already explained that you could switch to AuthorizedKeysCommand to retrieve a user's public key.
However, it's probably easier for you to place the authorized_keys file somewhere else. For example you could set AuthorizedKeysFile /etc/ssh/authorizedkeys/%u and place the file that would have been at ~username/.ssh/authorized_keys at /etc/ssh/authorizedkeys/username instead.
And, if you want to change it only for this user (so other users still have their authorized_keys at ~/.ssh/), you could use
Match User username
AuthorizedKeysFile /some/path/username_authorized_keys
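As an added example (not part of the answer above), here is a POSIX shell script that puts the pieces together: it writes the key file under the assumed directory /etc/ssh/authorizedkeys, prints the Match block for an assumed user named tunneluser, and mimics the group/world-writable half of sshd's StrictModes check, which is the usual reason a relocated key file is silently ignored. The extra keywords in the Match block (PasswordAuthentication, PermitTTY, AllowTcpForwarding, X11Forwarding) go beyond the answer and fit the tunnel-only user described in the comments.

```shell
#!/bin/sh
# Added example, not code from the page or its answerers: stage a key file
# outside any home directory for a user created with --no-create-home and
# --shell /bin/false, and print the per-user Match block that points sshd at it.
# The directory /etc/ssh/authorizedkeys and the user name "tunneluser" are
# assumptions for illustration.
set -eu

# Where sshd will look instead of ~/.ssh/authorized_keys. Set KEYDIR=... to
# stage into a scratch directory first.
KEYDIR="${KEYDIR:-/etc/ssh/authorizedkeys}"

# Print the Match block to append to sshd_config (or to a file under
# /etc/ssh/sshd_config.d/ where the distribution's sshd_config includes that
# directory). Match blocks must come after all global directives.
render_match_block() {
    user="$1"
    printf 'Match User %s\n' "$user"
    printf '    AuthorizedKeysFile %s/%s\n' "$KEYDIR" "$user"
    printf '    PasswordAuthentication no\n'
    printf '    PermitTTY no\n'
    printf '    AllowTcpForwarding yes\n'
    printf '    X11Forwarding no\n'
}

# Write one public key line to $KEYDIR/<user>. With StrictModes (on by
# default) sshd rejects the file if it, or any directory above it, is
# writable by group or others, or is owned by someone other than root or
# the user.
install_key() {
    user="$1"
    pubkey="$2"
    mkdir -p "$KEYDIR"
    chmod 0755 "$KEYDIR"
    printf '%s\n' "$pubkey" > "$KEYDIR/$user"
    chmod 0644 "$KEYDIR/$user"
}

# Portable stand-in for the mode half of sshd's StrictModes test: fail if the
# path is group- or world-writable. Reads the rwx string from ls -ld because
# stat(1) differs between GNU and BSD. (Ownership is not checked here.)
not_writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# Dry run in a scratch directory with a constructed (not real) key.
KEYDIR=$(mktemp -d)
install_key tunneluser 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL tunnel@example'
not_writable_by_others "$KEYDIR" && not_writable_by_others "$KEYDIR/tunneluser" \
    && echo "permissions acceptable for StrictModes"
render_match_block tunneluser
```

Run it as root with KEYDIR unset to install for real. Afterwards `sshd -t` parses the configuration before a restart, and `sshd -T -C user=tunneluser | grep -i authorizedkeysfile` shows the value the Match block actually produces for that user.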
The alternative to a file with public keys is the OpenSSH server directive AuthorizedKeysCommand, which allows you to configure your sshd daemon to run a specific helper program to retrieve the public keys that you would normally store and deploy in a user's ~/.ssh/authorized_keys file.
Using an LDAP directory is one common solution; querying an API or a (MySQL) database are other examples.
See for example:
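As an added example of such a helper (it is not diya's code and the page does not give one), the script below can be installed as the AuthorizedKeysCommand itself: sshd runs it with the login name (%u) as argument and reads authorized_keys lines from its stdout. The directory being queried is a constructed inline table standing in for LDAP, an API or a database; the path /usr/local/sbin/fetch-keys.sh, the sample user names and the use of nobody as AuthorizedKeysCommandUser are assumptions. The key options it prepends go beyond the answer and match the tunnel-only user from the question's comments.

```shell
#!/bin/sh
# Added example, not from the page or its answerers: a minimal
# AuthorizedKeysCommand helper. sshd invokes it as AuthorizedKeysCommandUser
# with the login name as $1 and treats each stdout line as an authorized_keys
# entry. The lookup table below is constructed for the example and stands in
# for the LDAP / API / database query a real deployment would make.
set -eu

# Constructed sample directory: one "login pubkey" record per line.
KEY_DIRECTORY='tunneluser ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLY tunnel@example
deploy ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYONLY deploy@example'

# Accept only a plain login name. sshd hands over a real account name, but a
# helper that ends up wired to a shell-built query must not trust its input.
valid_login() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*) return 1 ;;
    esac
    return 0
}

# Emit the key lines for one user. "restrict" disables every feature
# (pty, agent/X11/port forwarding, user-rc) and "port-forwarding" re-enables
# just the one a tunnel-only account needs; both need OpenSSH 7.2 or later.
lookup_keys() {
    user="$1"
    valid_login "$user" || return 1
    printf '%s\n' "$KEY_DIRECTORY" | while read -r name key; do
        [ "$name" = "$user" ] || continue
        printf 'restrict,port-forwarding %s\n' "$key"
    done
}

# The sshd_config lines that wire this script in (printed, not installed).
render_sshd_config() {
    printf 'AuthorizedKeysCommand /usr/local/sbin/fetch-keys.sh %%u\n'
    printf 'AuthorizedKeysCommandUser nobody\n'
}

# When run by sshd, $1 is the login name; default to the sample user for a
# manual dry run.
lookup_keys "${1:-tunneluser}"
```

sshd refuses to run the helper unless it is owned by root and not writable by group or others, and it executes it as AuthorizedKeysCommandUser, so that account needs read access to whatever the real lookup talks to. If the helper prints nothing for a user, sshd falls through to AuthorizedKeysFile, so keep that directive pointed at an empty or non-existent path for accounts that must only come from the directory.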